[clang-analyzer-security.insecureAPI.strcpy] extend list of unsafe functions

[ingo-loehken]

Hi,

it would be nice, if the list of functions, that are marked as unsafe would be extensible or include i.e. the following (under windows and atl/mfc microsoft propietary stuff)

• _strcpy
• _strdup
• _strcat
• _tcscpy
• _tcscat
• _tcsdup
• lstrcpy
• lstrcat
• strncpy
• strncat

Check: https://clang.llvm.org/docs/analyzer/checkers.html#security-insecureapi-strcpy-c Label : clang-tidy Type: Enhancement

[llvmbot]

@llvm/issue-subscribers-clang-static-analyzer

Author: None (ingo-loehken)

Hi, it would be nice, if the list of functions, that are marked as unsafe would be extensible or include i.e. the following (under windows and atl/mfc microsoft propietary stuff) - _strcpy - _strdup - _strcat - _tcscpy - _tcscat - _tcsdup - lstrcpy - lstrcat - strncpy - strncat Check: https://clang.llvm.org/docs/analyzer/checkers.html#security-insecureapi-strcpy-c Label : clang-tidy Type: Enhancement

[llvmbot]

Hi!

This issue may be a good introductory issue for people new to working on LLVM. If you would like to work on this issue, your first steps are:

1. Check that no other contributor has already been assigned to this issue. If you believe that no one is actually working on it despite an assignment, ping the person. After one week without a response, the assignee may be changed.
2. In the comments of this issue, request for it to be assigned to you, or just create a pull request after following the steps below. Mention this issue in the description of the pull request.
3. Fix the issue locally.
4. Run the test suite locally. Remember that the subdirectories under test/ create fine-grained testing targets, so you can e.g. use make check-clang-ast to only run Clang's AST tests.
5. Create a Git commit.
6. Run git clang-format HEAD~1 to format your changes.
7. Open a pull request to the upstream repository on GitHub. Detailed instructions can be found in GitHub's documentation. Mention this issue in the description of the pull request.

If you have any further questions about this issue, don't hesitate to ask via a comment in the thread below.

[llvmbot]

@llvm/issue-subscribers-good-first-issue

Author: None (ingo-loehken)

Hi, it would be nice, if the list of functions, that are marked as unsafe would be extensible or include i.e. the following (under windows and atl/mfc microsoft propietary stuff) - _strcpy - _strdup - _strcat - _tcscpy - _tcscat - _tcsdup - lstrcpy - lstrcat - strncpy - strncat Check: https://clang.llvm.org/docs/analyzer/checkers.html#security-insecureapi-strcpy-c Label : clang-tidy Type: Enhancement

[steakhal]

Makes sense to me. We should doublecheck how those calls are named on Windows to be sure.

[haoNoQ]

Arguably strncpy is significantly "more" secure than strcpy. It's still insecure but it was specifically built to address the main problem with strcpy. So it shouldn't necessarily be on the same list just because the name sounds similar. It may be better to put it under a separate flag because folks may be ok with one but not the other.

[ParkHanbum]

Hi. I'd like to fix this issue, can you point me to a commit that I can refer to?

[fawdlstty]

@ParkHanbum Hi. Are you still working on it? I noticed that there has been no new information on this issue for a week in a row. Can you assign the issue to me? I would like to work on it and try and solve it, as a beginner coder. I will be very grateful to you.

[ParkHanbum]

@fawdlstty I didn't get this, so you don't have to ask me.

[fawdlstty]

I can't find the api that starts with _ in my windows sdk (10.0.22621.0). Might it have been removed?

[ingo-loehken]

<string.h>, apis that start with _. But I did not find _strcpy yet...